clk: core: Copy connection id

Message ID 60d115f6c11bc51cd8bc10c64cd222c3cdb43cc7.1487596492.git.leonard.crestez@nxp.com (mailing list archive)
State Accepted
Delegated to: Stephen Boyd

Commit Message

Leonard Crestez Feb. 20, 2017, 1:20 p.m. UTC
Some drivers use sprintf to build clk connection id names but the clk
core will save those strings and occasionally print them back. Duplicate
the con_id strings instead of fixing all the users.

Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
---
 drivers/clk/clk.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Some examples of using sprintf for con_id include:
drivers/mfd/omap-usb-host.c
drivers/tty/serial/samsung.c
sound/soc/fsl/fsl_asrc.c

There are lots more. They are difficult to find and "fixing" them on the
consumer side requires nasty code to keep track of the allocated clkname.

Comments

Stephen Boyd Feb. 24, 2017, 8:44 p.m. UTC | #1
On 02/20, Leonard Crestez wrote:
> Some drivers use sprintf to build clk connection id names but the clk
> core will save those strings and occasionally print them back. Duplicate
> the con_id strings instead of fixing all the users.
> 
> Signed-off-by: Leonard Crestez <leonard.crestez@nxp.com>
> ---
>  drivers/clk/clk.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> Some examples of using sprintf for con_id include:
> drivers/mfd/omap-usb-host.c
> drivers/tty/serial/samsung.c
> sound/soc/fsl/fsl_asrc.c
> 
> There are lots more. They are difficult to find and "fixing" them on the
> consumer side requires nasty code to keep track of the allocated clkname.

Good catch. What about dev_id though? That could also have the
same problem if some device is removed and we're still holding a
reference to the kobject's name. This is probably more rare than
what is happening here, but still seems possible that we might
trip over that later.

Leonard Crestez Feb. 25, 2017, 9:20 a.m. UTC | #2
On Fri, 2017-02-24 at 12:44 -0800, Stephen Boyd wrote:
> On 02/20, Leonard Crestez wrote:
> > Some drivers use sprintf to build clk connection id names but the clk
> > core will save those strings and occasionally print them back. Duplicate
> > the con_id strings instead of fixing all the users.
> 
> Good catch. What about dev_id though? That could also have the
> same problem if some device is removed and we're still holding a
> reference to the kobject's name. This is probably more rare than
> what is happening here, but still seems possible that we might
> trip over that later.

A device should normally free the clks it uses before it is destroyed.
This means that if dev_id is pointing to freed memory then the clk
itself was probably leaked, right?

This is obvious misuse of the API, not like sprintf-ing a con_id in a
complex driver. I don't really think it's worth copying strings for it.

--
Regards,
Leonard

Stephen Boyd Feb. 28, 2017, 8:05 a.m. UTC | #3
On 02/25, Leonard Crestez wrote:
> On Fri, 2017-02-24 at 12:44 -0800, Stephen Boyd wrote:
> > On 02/20, Leonard Crestez wrote:
> > > Some drivers use sprintf to build clk connection id names but the
> > > clk
> > > core will save those strings and occasionally print them back.
> > > Duplicate
> > > the con_id strings instead of fixing all the users.
> > 
> > Good catch. What about dev_id though? That could also have the
> > same problem if some device is removed and we're still holding a
> > reference to the kobject's name. This is probably more rare than
> > what is happening here, but still seems possible that we might
> > trip over that later.
> 
> A device should normally free the clks it uses before it is destroyed.
> This means that if dev_id is pointing to freed memory then the clk
> itself was probably leaked, right?

Sure. clk_get_sys() could be called and then we could have
something sprintf the dev_id there. A quick grep doesn't show any
place where that happens though so it seems safe right now.

That said, it would be nice to clearly document that we don't
expect dev_id to be freed or changed during the lifetime of the
clk structure, but we do allow con_id to change. Perhaps the copy
shows that, but a comment would also be useful so we don't have
people wondering why dev_id isn't copied as well.

> 
> This is obvious misuse of the API, not like sprintf-ing a con_id in a
> complex driver. I don't really think it's worth copying strings for it.
> 

Ok.

Leonard Crestez March 2, 2017, 12:45 p.m. UTC | #4
On Tue, 2017-02-28 at 00:05 -0800, sboyd@codeaurora.org wrote:
> On 02/25, Leonard Crestez wrote:
> > On Fri, 2017-02-24 at 12:44 -0800, Stephen Boyd wrote:
> > > On 02/20, Leonard Crestez wrote:
> > > > Some drivers use sprintf to build clk connection id names but the clk
> > > > core will save those strings and occasionally print them back. Duplicate
> > > > the con_id strings instead of fixing all the users.
> > > 
> > > Good catch. What about dev_id though? That could also have the
> > > same problem if some device is removed and we're still holding a
> > > reference to the kobject's name. This is probably more rare than
> > > what is happening here, but still seems possible that we might
> > > trip over that later.
> > 
> > A device should normally free the clks it uses before it is destroyed.
> > This means that if dev_id is pointing to freed memory then the clk
> > itself was probably leaked, right?
> 
> Sure. clk_get_sys() could be called and then we could have
> something sprintf the dev_id there. A quick grep doesn't show any
> place where that happens though so it seems safe right now.
> 
> That said, it would be nice to clearly document that we don't
> expect dev_id to be freed or changed during the lifetime of the
> clk structure, but we do allow con_id to change. Perhaps the copy
> shows that, but a comment would also be useful so we don't have
> people wondering why dev_id isn't copied as well.

This should be mentioned on the public documentation for clk_get_sys,
clk_get and devm_clk_get, right? These seem to be the public entry
points to the clk subsystem and users are expected to read their docs.

Do you want me to resend the patch with these notes?

I'm not comfortable adding to documentation when I don't fully
understand the system myself. I only discovered this while looking into
unrelated driver issues.

Stephen Boyd March 7, 2017, 1:53 p.m. UTC | #5
On 03/02, Leonard Crestez wrote:
> On Tue, 2017-02-28 at 00:05 -0800, sboyd@codeaurora.org wrote:
> > Sure. clk_get_sys() could be called and then we could have
> > something sprintf the dev_id there. A quick grep doesn't show any
> > place where that happens though so it seems safe right now.
> > 
> > That said, it would be nice to clearly document that we don't
> > expect dev_id to be freed or changed during the lifetime of the
> > clk structure, but we do allow con_id to change. Perhaps the copy
> > shows that, but a comment would also be useful so we don't have
> > people wondering why dev_id isn't copied as well.
> 
> This should be mentioned on the public documentation for clk_get_sys,
> clk_get and devm_clk_get, right? These seem to be the public entry
> points to the clk subsystem and users are expected to read their docs.

Sure. Except those are not just implemented for the common clk
framework, so the wording will need to be generic. Also we have
some more entry points like of_clk_get() too that would need a
note.

> 
> Do you want me to resend the patch with these notes?

No. I've applied this current patch to clk-fixes.

> 
> I'm not comfortable adding to documentation when I don't fully
> understand the system myself. I only discovered this while looking into
> unrelated driver issues.

Ok. I can take care of sending the patch.

Patch

diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c
index 0fb39fe..67201f6 100644
--- a/drivers/clk/clk.c
+++ b/drivers/clk/clk.c
@@ -2502,7 +2502,7 @@  struct clk *__clk_create_clk(struct clk_hw *hw, const char *dev_id,
 
 	clk->core = hw->core;
 	clk->dev_id = dev_id;
-	clk->con_id = con_id;
+	clk->con_id = kstrdup_const(con_id, GFP_KERNEL);
 	clk->max_rate = ULONG_MAX;
 
 	clk_prepare_lock();
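Review bot: the return value of kstrdup_const() on the new clk->con_id line is never checked, so when a caller passes a non-NULL con_id and the copy fails under GFP_KERNEL, clk->con_id silently becomes NULL and the clk looks as if it had been created without a connection id. Consider testing for "con_id && !clk->con_id" right after the assignment, then freeing clk and returning an error before clk_prepare_lock() is taken, so an allocation failure is reported to the caller instead of changing what later prints of con_id show.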
@@ -2518,6 +2518,7 @@  void __clk_free_clk(struct clk *clk)
 	hlist_del(&clk->clks_node);
 	clk_prepare_unlock();
 
+	kfree_const(clk->con_id);
 	kfree(clk);
 }
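Review bot: __clk_free_clk() now releases clk->con_id but leaves clk->dev_id alone, and nothing next to the added kfree_const() line says that the asymmetry is intentional. A one-line comment above it stating that con_id is a copy owned by the clk, while dev_id is a borrowed pointer that must outlive the clk, would record the lifetime rule and keep someone from later adding a free for dev_id. Using kfree_const() rather than kfree() is the correct counterpart here, since kstrdup_const() may hand back the original pointer when the string lives in .rodata.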